CVE-2020-13959Cross-site Scripting in Software Foundation Apache Velocity Tools

CWE-79Cross-site Scripting7 documents6 sources
Severity
6.1MEDIUMNVD
EPSS
3.2%
top 12.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Apache Software Foundation Apache Velocity ToolsApache Velocity ToolsDebian Velocity-tools+1 more
Timeline
PublishedMar 10
Latest updateAug 10

Description

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

CVEListV5apache_software_foundation/apache_velocity_toolsApache Velocity Tools3.1
debiandebian/velocity-tools< velocity-tools 2.0-8 (bookworm)

Also affects: Debian Linux 9.0

🔴Vulnerability Details

3
GHSA
Cross-site scripting (XSS) in Apache Velocity Tools2021-03-12
OSV
Cross-site scripting (XSS) in Apache Velocity Tools2021-03-12
OSV
CVE-2020-13959: The default error page for VelocityView in Apache Velocity Tools prior to 32021-03-10

📋Vendor Advisories

3
Ubuntu
Velocity Tools vulnerability2023-08-10
Red Hat
velocity: XSS in the default error page for VelocityView2021-03-09
Debian
CVE-2020-13959: velocity-tools - The default error page for VelocityView in Apache Velocity Tools prior to 3.1 re...2020
CVE-2020-13959 — Cross-site Scripting | cvebase